Privacy Policy
Introduction
This document constitutes our Privacy Policy, drawn up in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter referred to as "GDPR") and other legislation applicable to the protection of personal data.
We would like to inform you that the collection and processing of your personal data carried out by our company strictly complies with current data protection legislation. By accessing our website or applications, you agree to the conditions described in the Privacy Policy. We recommend that you read this document carefully to understand how your data is processed.
Equação Perspicaz Unipessoal, Lda. is committed to protecting the privacy of its users. This policy details how your personal data is collected, used and stored when you interact with the company's services, the DocBay Platform and/or mobile applications. It is important to note that Equação Perspicaz Unipessoal, Lda. may update this policy from time to time to ensure that it is in line with current laws and regulations. By using the services of Equação Perspicaz Unipessoal, Lda., you agree to the practices described in this policy.
Data controller
Equação Perspicaz Unipessoal, Lda., hereinafter referred to as "DocBay", is the entity responsible for obtaining, storing and using the personal information provided to us. We operate and maintain the <www.docbay.com> platform and the DocBay Patient and DocBay Pro applications. We are transparent about how we process your data and we use your information to provide search services, book appointments, treatments, information requests, teleconsultations and messaging services with healthcare professionals. In addition, we may also use the data to improve and personalise the user experience.
Data processing
This privacy policy establishes the principles and guidelines we follow to guarantee the protection and confidentiality of our users' personal data. The collection and processing of personal data is carried out in accordance with the applicable legal regulations, ensuring the necessary transparency and security. For a better understanding, the list of data and services/products in which we process data has been set out in separate tables by profile.
Patient
Data | DocBay Patient | Teleconsultation | Docbox | Smart Inventory |
---|---|---|---|---|
Name | ✓ | ✓ | ✓ | |
Date of Birth | ✓ | ✓ | ✓ | |
Gender | ✓ | ✓ | ✓ | |
NIF | ✓(*) | ✓(*) | ✓(*) | |
Address | ✓ | ✓ | ✓ | |
Mobile phone number | ✓ | ✓ | ✓ | |
✓ | ✓ | ✓ | ||
Blood Group | ✓(*) | ✓(*) | ✓(*) | |
Clinical data (diseases, allergies, other) | ✓(*) | |||
Face photo | ✓(*) | ✓(*) | ✓(*) | |
Video | ✓(*) | |||
Body photographs | ✓(*) |
(*) optional
Health professionals
Data | DocBay Patient | Teleconsultation | Docbox | Smart Inventory |
---|---|---|---|---|
Name | ✓ | ✓ | ✓ | ✓ |
Date of birth (??) | ||||
Gender | ✓ | ✓ | ✓ | |
NIF | ✓ | ✓ | ✓ | |
Address | ✓ | ✓ | ✓ | |
Mobile phone number | ✓ | ✓ | ✓ | ✓ |
✓ | ✓ | ✓ | ✓ | |
Order number | ✓ | ✓ | ✓ | |
Face photo | ✓(*) | ✓(*) | ✓(*) | |
Video | ✓ |
(*) optional
Data Protection Officer
The Data Protection Officer (DPO) plays a crucial role in organisations, acting as a guardian of the privacy and security of personal data. With autonomy and independence, the DPO chosen by DocBay has in-depth knowledge of data protection legislation, such as the GDPR, as well as experience and training in cybersecurity. The DPO acts as an internal consultant, advising the company on all matters relating to the processing of personal data, with a view to minimising risks and protecting the rights of Personal Data Subjects.
Information protection
The entire DocBay platform has been designed according to the principles of Privacy by Design and Privacy by Default. This means that privacy must be an intrinsic priority for any DocBay product or service, being integrated from the outset and with the most secure settings as standard, guaranteeing the protection of user data from the outset.
We employ the most advanced security technologies to protect your personal data, including robust authentication systems, state-of-the-art firewalls and data encryption both in transit and in storage. However, it is crucial to emphasise that the nature of the internet entails inherent risks when transmitting data. Although we make every reasonable effort to minimise these risks, absolute security cannot be guaranteed. In addition, we inform you that the responsibility for the security of data before it reaches our servers lies entirely with the user, as it depends on the hardware and software they use and the vulnerabilities that may be associated with it.
Purpose of processing and retention period
The General Data Protection Regulation (GDPR) establishes that personal data must be processed lawfully, fairly and transparently, and that the data collected and processed must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
One of the fundamental principles of the GDPR is the limitation of storage, which means that personal data must be stored, in a way that allows the identification of the data subject, for no longer than is necessary for the purposes for which it is processed.
The period for which data is kept varies depending on the purpose for which it was collected. There is no single, absolute period, and it is necessary to assess each case in detail, taking into account:
- Applicable legislation: There are laws and regulations that establish minimum retention periods for certain types of data (e.g. accounting data).
- Nature of the data: Sensitive data, such as health data, may require shorter retention periods.
- Purpose of processing: The purpose for which the data has been collected will determine the necessary retention period.
- Legitimate interests: The need to retain data to protect the legitimate interests of the data subject or third parties may also influence the retention period.
Purpose of processing | Retention period | Justification |
---|---|---|
Customer management (contracts, invoicing) | 10 years (after the end of the contractual relationship) | Legal obligations (accounting, taxation) |
Clinical process | 5 years (after the last service) | Required by law to keep the patient's medical history. |
Teleconsultation | 5 years (after the last teleconsultation) | Necessary for keeping a history of teleconsultations between the healthcare professional and the patient. |
Sending Messages - (Docbox) | 5 years (after the last message) | Necessary for keeping a history of patient communications/conversations. |
Booking appointments | 1 year (after the last consultation) | Necessary for managing appointments and booking history. |
Direct marketing | 2 years (after the last contact) | Consent of the data subject, which can be revoked at any time |
Recruitment and selection | 2 years (after the selection process) | Employer's legitimate interest in contacting candidates for future opportunities |
Security incident management | 1 year (after resolution of the incident) | Legitimate interest in protecting DocBay's systems and data |
Users' rights
The General Data Protection Regulation (GDPR) gives individuals, as holders of their personal data, a set of rights aimed at guaranteeing control over their data and their privacy.
Here are the main rights and the corresponding articles of the GDPR:
- Right to Withdraw Consent (Article 7): Where processing is based on consent, the data subject has the right to withdraw it at any time, without this detracting from the lawfulness of the processing carried out on the basis of the consent previously given until withdrawal.
- Right of Access (Article 15): The data subject has the right to obtain confirmation as to whether their data is being processed and, if so, to access that data and certain information, such as the purposes of the processing, the categories of data, the recipients of the data, among others.
- Right of rectification (Article 16): The data subject has the right to obtain the rectification of inaccurate or incomplete data.
- Right to erasure ("Right to be forgotten") (Article 17): The data subject has the right to obtain the erasure of his or her personal data without undue delay in certain situations, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to Restriction of Processing (Article 18): The data subject has the right to obtain the limitation of the processing of his or her data in certain situations, such as when he or she contests the accuracy of the data or objects to the processing.
- Right to Data Portability (Article 20): The data subject has the right to receive his or her personal data that he or she has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit that data to another controller.
- Right to Object (Article 21): The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, including processing for direct marketing purposes.
- Right not to be subject to automated individual decisions, including profiling (Article 22): The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way.
Any user, as the owner of personal data, can exercise their rights by making a written request to dpo@docbay.com whenever they wish.
Data transfer outside the EU
Some of our service providers (subcontractors) have their datacentres based outside the European Economic Area, so we may transfer your personal data to third countries. We always ensure that these transfers fulfil the requirements of the GDPR, and that these providers also guarantee compliance with this regulation.
Profiling activities
We do not use any profiling systems or tools to process the personal data of users of the services provided by the DocBay Platform.
Links to other sites
This website and the mobile applications may contain links to other third-party websites. The inclusion of these links does not imply endorsement or approval of their content, privacy or security practices. By accessing a third-party site through our links, you will be subject to the terms and conditions and privacy policy of that site. We recommend that you consult these policies before providing any personal data.
Cookie policy
DocBay has developed a specific page to inform you about the cookies used on our website and mobile applications. On this page, you will find details about the types of cookies we use, their purposes and the duration of each one. We recommend that you read our Cookie Policy carefully before using our services.
Changes to the Privacy Policy
DocBay reserves the right to make changes to this Privacy Policy at any time, and such changes will be duly published on our website and mobile applications.
Contact
If you have any questions about your personal data, you can contact us by e-mail at dpo@docbay.com, or by post at the head office address: Praça Conde de Agrolongo 123, Edifício GNRation, U.F. de S. João do Souto e S. José de São Lázaro, 4700-312 Braga.